Deploy & renew SCEP certificates - backend

[sharon-fdm]

Implementation plan:

• [x] Configuration - username/password/urls
  • [x] Credentials should be encrypted at rest in DB
  • [x] Verify admin server when set
  • [x] Catch the issue when NDES runs out of challenges (5 by default) -- we can parse the HTML to figure it out
  • [x] Verify SCEP server -- issue CACerts
  • [x] We should only verify the configuration when it changes, and not every time.
  • [x] Obfuscated on retrieval.
  • [x] Use best practice for clearing the setting.
  • [x] Preprocess inputs
  • [x] Update the errors to match Figma.
  • [x] Delete password when clearing setting
• [x] Challenge variable (only SCEP). Start with $FV_SCEP_CHALLENGE, $FV_SCEP_PROXY_URL, and email.
  • [x] Get challenge from NDES server
  • [x] If challenge cannot be retrieved, put an error into the profile verify flow.
  • [x] (NOOP -- this simply updates DB to be picked up by cron) Allow variable insertion when profile is resent -- it can be simply resent, or resent after error.
  • [x] Get NDES password once per run
  • [x] Tests
  • [x] Add error message for FLEETVAR for DDM and Windows
  • [x] Add validation of unknown variables on profile upload
  • [x] Manually test IDP email
• [x] Proxy -- pass through CACaps, CACerts, PKIOperation
  • [x] Parse/retrieve profile from url path -- make sure it is present (for security)
  • [ ] Save cert expiration, and link it to SCEP profile. New table!!! This is done in nano_cert_auth_associations for MDM certs.
  • [x] Catch error that OTP is wrong? (Need to test if we get any info for this.) If we can catch it, then push out a new profile with updated challenge. Otherwise keep track of the age of the challenge (new field? or when this profile was enqueued?). Push out a new profile when device requests a cert using an outdated challenge.
  • [x] Tests
  • [x] Log errors (differentiate Fleet vs SCEP server errors)
  • [x] Clean up the new certificates table (cron job)
• [x] Global activity feed
  • [x] Tests
• [x] Manual tests
  • [x] 2 hosts with 10 profiles each
  • [x] Setting up NDES without private key set up

[fleet-release]

Renewal of certificates, Secures device fleets in clouds, Data rests encrypted.